HAQM Detective FAQs
General
What is HAQM Detective?
HAQM Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. HAQM Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
What are the key benefits of HAQM Detective?
HAQM Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. HAQM Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues. HAQM Detective maintains up to a year of aggregated data and makes it easily available through a set of visualizations that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings. There are no upfront costs and you pay only for the events analyzed, with no additional software to deploy or log feeds to enable.
How does HAQM Detective help you analyze security investigations?
HAQM Detective extracts time-based events such as login attempts, API calls, and network traffic from AWS CloudTrail, HAQM Virtual Private Cloud (HAQM VPC) Flow Logs, HAQM GuardDuty findings, AWS Security Hub findings, and HAQM Elastic Kubernetes Service (HAQM EKS) audit logs. Detective creates a behavior graph that uses machine learning (ML) to build a unified, interactive view of your resource behaviors and their interactions over time, specifically for these time-based events. By exploring the behavior graph, you can analyze security events such as failed login attempts, suspicious API calls, or finding groups to help you investigate the root cause of your AWS security findings.
What are finding groups and how do they reduce time to investigate findings?
Threat actors often perform a series of actions when attempting to compromise your AWS environment, which can result in multiple security findings across your AWS resources. Finding groups are collections of security findings and resources that are associated with a single potential security incident and that you should investigate together. Finding groups can help reduce triage time because you don’t have to investigate each individual security finding separately. You can start your investigation with finding groups, which offer a more complete understanding of the incident. Finding groups also offer interactive visualizations that allow you to explore specific findings and insights, using generative AI to describe the chain of events in natural language. For more information, see Analyzing finding groups.
What are automated investigations and how do they help you reduce time to investigate resources?
Automated investigations allow you to investigate AWS Identity and Access Management (IAM) entities, such as IAM users or roles, to determine if these entities are potentially compromised. Automated investigations achieve this by querying your behavior graph and using machine learning to identify whether the IAM entity exhibits anomalous behavior or shows indicators of compromise (IoCs). These IoCs may include potentially malicious activities, such as impossible travel logins, associations with known bad IP addresses, and a history of security findings. Instead of analyzing AWS CloudTrail logs and developing your own scripts to spot suspicious activity, you can save time by using automated investigations to answer questions like ‘has this IAM role been used in impossible travel logins?’, ‘was this IAM role session used by a known bad IP address?’, or ‘what tactics, techniques, and procedures (TTPs) did this IAM principal trigger during a security event?’ For more information, please refer to the HAQM Detective user guide.
How much does HAQM Detective cost?
HAQM Detective pricing is based on the volume of data ingested from AWS CloudTrail logs, HAQM VPC Flow Logs, HAQM Elastic Kubernetes Service (HAQM EKS) audit logs, HAQM GuardDuty findings, and findings sent from integrated AWS services to AWS Security Hub. You are charged per Gigabyte (GB) ingested per account/region/month. HAQM Detective maintains up to a year of aggregated data for its analysis. Please see the HAQM Detective pricing page for the latest pricing information. HAQM EKS and AWS Security Hub findings are optional data sources which you can disable if you don’t want Detective to ingest those data sources.
Is there a free trial for HAQM Detective?
Yes, any account new to HAQM Detective can try the service for 30 days at no cost. You will have access to the full feature set during the free trial.
Is HAQM Detective a regional or global service?
HAQM Detective needs to be enabled on a region-by-region basis and enables you to quickly analyze activity across all your accounts within each region. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
What regions does HAQM Detective support?
The regional availability of HAQM Detective is listed here: AWS Region Table.
Getting started with HAQM Detective
How can I get started with HAQM Detective?
HAQM Detective can be enabled with a few clicks in the AWS Management Console. Once enabled, HAQM Detective automatically organizes data into a graph model, and the model is continuously updated as new data becomes available. You can then use HAQM Detective to begin investigating potential security issues.
How do I enable HAQM Detective?
You can enable HAQM Detective from within the AWS Management Console or by using the HAQM Detective API. If you are already using the HAQM GuardDuty or AWS Security Hub Consoles, you should enable HAQM Detective with the same account that is the administrative account in HAQM GuardDuty or AWS Security Hub to enable the best cross-service experience.
Can I manage multiple accounts with HAQM Detective?
Yes, HAQM Detective is a multi-account service that aggregates data from monitored member accounts under a single administrative account within the same region. You can configure multi-account monitoring deployments in the same way that you configure administrative and member accounts in HAQM GuardDuty and AWS Security Hub.
What data sources does HAQM Detective analyze?
HAQM Detective enables customers to view summaries and analytical data associated with HAQM Virtual Private Cloud (HAQM VPC) Flow Logs, AWS CloudTrail logs, HAQM Elastic Kubernetes Service (HAQM EKS) audit logs, AWS Security Hub findings, and HAQM GuardDuty findings.
Can I use HAQM Detective if I do not have HAQM GuardDuty enabled?
Yes, you can use HAQM Detective if you do not have HAQM GuardDuty activated in the account. You can use HAQM Detective to get detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses. This information can be very useful in understanding security issues or operational account activity. HAQM GuardDuty is a service in the Prescriptive Guidance - AWS Security Reference Architecture (SRA) as part of the “Key implementation guidelines of the AWS SRA”.
How quickly does HAQM Detective start working?
HAQM Detective starts collecting log data as soon as it is enabled and provides visual summaries and analytics on the ingested data. HAQM Detective also provides comparisons of recent activity against historical baselines which are established after two weeks of account monitoring.
Can I export my raw log data from HAQM Detective?
Yes, you can export AWS CloudTrail logs and HAQM VPC Flow Logs using an integration with HAQM Security Lake. You can review how the integration works in the HAQM Detective for HAQM Security Lake section below.
What data does HAQM Detective store, is it encrypted, and can I control what data sources are enabled?
HAQM Detective conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. Once enabled, HAQM Detective will process data from AWS CloudTrail logs, HAQM VPC Flow Logs, HAQM EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and HAQM GuardDuty findings for any accounts where it has been turned on.
Is there a performance or availability risk to my existing AWS workloads by enabling HAQM Detective?
HAQM Detective has no impact on the performance or availability of your AWS infrastructure since HAQM Detective retrieves the log data and findings directly from the AWS services.
How does HAQM Detective differ from HAQM GuardDuty and AWS Security Hub?
HAQM GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With AWS Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as HAQM GuardDuty, HAQM Inspector, and HAQM Macie, as well as from AWS Partner solutions. HAQM Detective simplifies the process of investigating security findings and identifying the root cause. HAQM Detective analyzes trillions of events from multiple data sources such as HAQM VPC Flow Logs, AWS CloudTrail logs, HAQM EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and HAQM GuardDuty findings and automatically creates a graph model that provides you with a unified, interactive view of your resources, users, and the interactions between them over time.
How can I stop HAQM Detective from looking at my logs and data sources?
HAQM Detective enables you to analyze and visualize security data from your AWS CloudTrail logs, HAQM VPC Flow Logs, HAQM EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and HAQM GuardDuty findings. To stop HAQM Detective from analyzing these logs and findings for your accounts please disable the service by using the API or from the settings section in the AWS Console for HAQM Detective.
Working in the HAQM Detective console
What guidance does HAQM Detective provide on how to investigate a security issue?
HAQM Detective provides a variety of visualizations that present context and insights about AWS resources such as AWS accounts, EC2 instances, users, roles, IP addresses, and HAQM GuardDuty findings. Each visualization is designed to answer specific questions that may come up as you analyze findings and the related activity. Each visualization provides textual guidance that clearly explains how to interpret the panel and use its information to answer your investigative questions.
How is HAQM Detective integrated with other AWS security services like HAQM GuardDuty, AWS Security Hub, and HAQM Security Lake?
HAQM Detective supports cross-service user workflows by supporting console integrations with HAQM GuardDuty, AWS Security Hub, and HAQM Security Lake. GuardDuty and Security Hub provide links from within their consoles that redirect you from a selected finding directly to an HAQM Detective page containing a curated set of visualizations for investigating the selected finding. HAQM Detective provides pre-built queries based on your investigations that can query and download log files from HAQM Security Lake. The findings detail page in HAQM Detective is already aligned to the timeframe of the finding and shows relevant data associated with the finding.
How do I integrate HAQM Detective investigation results with remediation and response tools?
Various partner security solution providers have integrated with HAQM Detective to enable investigation steps within their automated playbooks and orchestrations. These products present links from within the response workflows that redirect users to HAQM Detective pages containing visualizations curated for investigating findings and resources identified within the workflow.
HAQM Detective for AWS Security Hub
How does HAQM Detective for AWS Security Hub work?
Once enabled, HAQM Detective automatically and continuously analyzes and correlates user, network, and configuration activity for AWS services integrated with AWS Security Hub. HAQM Detective automatically ingests security findings forwarded from AWS security services to AWS Security Hub through the optional data source called AWS Security Findings.
What are AWS security findings?
AWS Security Hub supports integrations with several AWS services. With the exception of sensitive data findings from HAQM Macie, you’re automatically opted in to all other AWS service integrations with Security Hub. If you’ve turned on Security Hub and any of the integrated services, those services will send findings to Security Hub. Detective ingests those findings and adds them to your graph so you can conduct security investigations for all integrated AWS services. Those services include AWS Config, AWS Firewall Manager, HAQM GuardDuty, AWS Health, AWS Identity and Access Management Access Analyzer, HAQM Inspector, AWS IoT Device Defender, HAQM Macie, and AWS Systems Manager Patch Manager.
Do I need to turn on AWS security findings?
By default, AWS security findings are enabled as a data source for new accounts using Detective. You may need to enable this data source if you were using Detective before support for AWS security findings was released. You can follow the steps listed in AWS security findings from the Administrative Guide to confirm data sources for Detective. This data source should be enabled for each region where you plan to use Detective.
HAQM Detective’s consumption of AWS security findings is designed not to affect the performance of your AWS security services, as HAQM Detective consumes the security findings using independent and duplicative log streams. In this manner, HAQM Detective’s consumption of your AWS security findings will not increase your costs for using AWS Security Hub or any integrated AWS security service.
How am I charged to use HAQM Detective to investigate findings from AWS security services?
HAQM Detective consumption of AWS security findings is priced based on the volume of findings processed and analyzed by HAQM Detective. HAQM Detective provides a free 30-day trial to all customers that enable AWS security findings, allowing customers to ensure that HAQM Detective capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage.
If I’m forwarding HAQM GuardDuty findings to AWS Security Hub, will I get double charged?
No, HAQM Detective will only charge once for findings sent from each service.
HAQM Detective for HAQM Security Lake
How does HAQM Detective for HAQM Security Lake work?
After integrating the two services, HAQM Detective can query and retrieve AWS CloudTrail logs and HAQM Virtual Private Cloud (HAQM VPC) Flow Logs from HAQM Security Lake for your security investigations. You can use this integration to start your investigations in HAQM Detective and preview or download specific AWS CloudTrail logs or HAQM VPC Flow Logs if you need additional details stored in the logs. For example, if you’re investigating suspicious activity from an IAM user over the past 24 hours, you can use HAQM Detective to get a summary of the services the IAM user interacted with under the API method panel. If you observe interactions with services that represent a potential security issue, such as API calls to describe roles, you can download the AWS CloudTrail logs for that IAM user. HAQM Detective will provide a pre-built SQL query using HAQM Athena, scoped to the time window and entity under investigation (the past 24 hours for the IAM user), making your query and log retrieval easier. This integration saves you time by eliminating the need to craft the SQL query from scratch, and you can preview and download the results without leaving the HAQM Detective console.
How do I enable integration between HAQM Detective and HAQM Security Lake?
To enable the integration between the two services, you will need to run an HAQM CloudFormation template. This template creates a subscriber account with sufficient permissions to query and consume logs from HAQM Security Lake and deploys additional AWS services in your account used to query and download logs. You can review what the HAQM CloudFormation template deploys in the HAQM Detective User Guide.
How am I charged to use HAQM Detective integration with HAQM Security Lake?
You will be charged for each service according to HAQM Detective pricing and HAQM Security Lake pricing. Additionally, you will incur charges for each query using HAQM Athena, and there will be charges for the additional AWS services deployed in your account to support the integration. You can use the AWS pricing calculator to estimate the total cost for integrating the two services.
Do I have to enable HAQM Detective integration with HAQM Security Lake in each AWS Region individually?
Yes. You will need to run the HAQM CloudFormation template in each AWS Region where you want to integrate HAQM Detective with HAQM Security Lake.
HAQM Detective for HAQM Elastic Kubernetes Service (HAQM EKS)
How does HAQM Detective for HAQM EKS audit logs work?
Once enabled, HAQM Detective automatically and continuously analyzes and correlates user, network, and configuration activity across your HAQM EKS workloads. HAQM Detective automatically ingests HAQM EKS audit logs and correlates user activities with AWS CloudTrail Management events and network activity with HAQM VPC Flow Logs without the need for you to enable or store these logs manually. The service extracts key security information from these logs and retains them in a security behavioral graph database that enables fast cross-referenced access to twelve months of activity. HAQM Detective provides a data analysis and visualization layer to help you answer common security questions backed by a behavioral graph database that allows you to more quickly investigate potential malicious behavior associated with your HAQM EKS workloads.
Do I need to turn on HAQM EKS audit logging?
By default, HAQM EKS audit logging is enabled as a data source for accounts using Detective. You may need to enable this data source if you were using Detective before support for EKS audit logs was released. You can follow the steps listed in HAQM EKS audit logs for Detective from the Administrative Guide to confirm data sources for Detective. This data source should be enabled for each region where you plan to use Detective.
HAQM Detective's consumption of HAQM EKS audit logs is designed to not affect the performance of your HAQM EKS workloads, as HAQM Detective consumes the audit logs using independent and duplicative audit log streams. In this manner, HAQM Detective's consumption of your HAQM EKS audit logs will not increase your costs for using HAQM EKS.
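The two "Do I need to turn on ..." answers above both come down to the same check: confirm, per region, that the optional data source packages are ingesting and start any that are not. The script below is an added example, not code from the HAQM Detective documentation or service; it assumes the boto3 Detective client, the package names EKS_AUDIT and ASFF_SECURITYHUB_FINDING, and the ListDatasourcePackages response shape described in the comments.

```python
"""Confirm and enable HAQM Detective's optional data source packages.

Added example; assumes the boto3 ``detective`` client, the package names
DETECTIVE_CORE / EKS_AUDIT / ASFF_SECURITYHUB_FINDING, and that
ListDatasourcePackages returns a DatasourcePackages map of
package name -> {"DatasourcePackageIngestState": "STARTED"|"STOPPED"|"DISABLED", ...}.
"""
from typing import Dict, List, Sequence

# Optional data sources that may be off for graphs created before
# EKS audit log / AWS security findings support was released.
OPTIONAL_PACKAGES: Sequence[str] = ("EKS_AUDIT", "ASFF_SECURITYHUB_FINDING")


def missing_packages(datasource_packages: Dict[str, dict],
                     wanted: Sequence[str] = OPTIONAL_PACKAGES) -> List[str]:
    """Return the packages in ``wanted`` that are absent or not in state STARTED.

    ``datasource_packages`` is the DatasourcePackages map from a
    ListDatasourcePackages response (shape assumed, see module docstring).
    """
    return [
        pkg for pkg in wanted
        if datasource_packages.get(pkg, {}).get("DatasourcePackageIngestState") != "STARTED"
    ]


def ensure_optional_sources(graph_arn: str, region: str, dry_run: bool = True) -> List[str]:
    """List the graph's packages and start any optional ones that are off.

    Detective is regional, so run this once per region from the
    administrator account. Returns the packages that were (or, in dry-run
    mode, would be) enabled.
    """
    import boto3  # imported here so the pure helper above runs without AWS access

    client = boto3.client("detective", region_name=region)
    packages: Dict[str, dict] = {}
    kwargs = {"GraphArn": graph_arn}
    while True:  # follow pagination until no NextToken is returned
        resp = client.list_datasource_packages(**kwargs)
        packages.update(resp.get("DatasourcePackages", {}))
        if "NextToken" not in resp:
            break
        kwargs["NextToken"] = resp["NextToken"]
    todo = missing_packages(packages)
    if todo and not dry_run:
        client.update_datasource_packages(GraphArn=graph_arn, DatasourcePackages=todo)
    return todo


# Constructed sample response: EKS audit logs already on, Security Hub findings off.
SAMPLE_PACKAGES = {
    "DETECTIVE_CORE": {"DatasourcePackageIngestState": "STARTED"},
    "EKS_AUDIT": {"DatasourcePackageIngestState": "STARTED"},
    "ASFF_SECURITYHUB_FINDING": {"DatasourcePackageIngestState": "DISABLED"},
}

if __name__ == "__main__":
    print(missing_packages(SAMPLE_PACKAGES))  # ['ASFF_SECURITYHUB_FINDING']
```

Run `ensure_optional_sources(graph_arn, region, dry_run=False)` with the graph ARN from the Detective console to actually start the missing packages; the default dry run only reports them.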
How am I charged to use HAQM Detective to secure my HAQM EKS Workloads?
HAQM Detective's consumption of HAQM EKS audit logs is priced based on the volume of audit logs processed and analyzed by HAQM Detective. HAQM Detective provides a free 30-day trial to all customers that enable HAQM EKS coverage, allowing customers to ensure that HAQM Detective’s capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage.
Does HAQM Detective provide visibility into HAQM EKS workloads on AWS Fargate, non-managed Kubernetes on EC2, or HAQM EKS Anywhere?
Currently this capability supports HAQM EKS deployments running on EC2 instances in your AWS account. Detective also provides support for HAQM GuardDuty EKS Runtime Monitoring and ECS Runtime Monitoring (which includes monitoring for HAQM ECS on Fargate). This capability does not provide visibility into non-managed Kubernetes on EC2 or HAQM EKS Anywhere.